This is adware designed to redirect user requests to other web resources.

Technical Details

Installation

The malicious program is a loader for a legitimate software installer, the Xvid codec pack (http://www.xvid.org/). However, it does not merely download the Xvid installer; it also installs components that track the search queries the user types into the browser address bar.

Once launched, the malicious software gathers the following information about the infected system:

IP address

Windows Product ID. To obtain it, the following system registry value is read:

[HKLM\Software\Microsoft\Windows\CurrentVersion]

"ProductId"

Hard disk serial number

Computer name

User name

OS version

The gathered information is then sent to one of the following servers:

cfgi.clickpotato.tv

tei.clickpotato.tv

Afterwards, an updated version of the malicious software is downloaded from the server and saved in the current user's temporary folder:

%Temp%\upg<random 2 digit number>.tmp

At the time this description was written, the downloaded file was 247992 bytes in size.

Once the file has been downloaded successfully, the installer is launched. The installer dialog box is as follows:

Payload

The malicious program injects the following library:

%Program Files%\BasicScan\basicscan.dll

into the address space of the browser process started by the user. This allows the malicious program to track the search queries the user types into the address bar and return a list of URLs received from the server:

www.basicscan.com

In addition, the malicious software can update its components by downloading the updates from the intruder's server.
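The artifacts named in the Installation and Payload sections above (the updater drop file in %Temp%, the clickpotato.tv and basicscan.com hosts, and basicscan.dll loaded into a browser) can be turned into a simple host check. The script below is an added example, not code from the original description; the process names it treats as browsers, the resolver log format, and the snapshot layout are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass

# Indicators taken from the description: hostnames, the DLL path and the
# %Temp%\upg<2 digits>.tmp pattern. Browser process names and the resolver
# log format are assumptions for this example.
C2_HOSTS = {"cfgi.clickpotato.tv", "tei.clickpotato.tv", "www.basicscan.com"}
DLL_RE = re.compile(r"\\basicscan\\basicscan\.dll$", re.IGNORECASE)
TMP_RE = re.compile(r"\\upg\d{2}\.tmp$", re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}  # assumed
DNS_RE = re.compile(r"query:\s+(?P<host>[\w.-]+)")  # assumed log line shape

@dataclass
class HostSnapshot:
    modules: dict     # process name -> list of loaded module paths
    temp_files: dict  # file path under %Temp% -> size in bytes
    dns_log: list     # raw resolver log lines

def scan_host(snap: HostSnapshot) -> list:
    """Return human-readable findings for every indicator present in the snapshot."""
    findings = []
    for proc, mods in snap.modules.items():
        for m in mods:
            if DLL_RE.search(m):
                where = "browser" if proc.lower() in BROWSERS else "non-browser"
                findings.append(f"basicscan.dll loaded in {where} process {proc}: {m}")
    for path, size in snap.temp_files.items():
        if TMP_RE.search(path):
            note = " (size matches 247992-byte sample)" if size == 247992 else ""
            findings.append(f"updater drop file {path}{note}")
    for line in snap.dns_log:
        hit = DNS_RE.search(line)
        if hit and hit.group("host").lower() in C2_HOSTS:
            findings.append(f"resolution of known host {hit.group('host')}")
    return findings

# Constructed sample snapshot for a stand-alone run (not real telemetry).
SAMPLE = HostSnapshot(
    modules={
        "iexplore.exe": [r"C:\Windows\System32\kernel32.dll",
                         r"C:\Program Files\BasicScan\basicscan.dll"],
        "notepad.exe": [r"C:\Windows\System32\kernel32.dll"],
    },
    temp_files={r"C:\Users\alice\AppData\Local\Temp\upg07.tmp": 247992,
                r"C:\Users\alice\AppData\Local\Temp\upgrade.tmp": 10},
    dns_log=["12:00:01 query: tei.clickpotato.tv from 10.0.0.5",
             "12:00:02 query: www.xvid.org from 10.0.0.5"],
)

if __name__ == "__main__":
    for finding in scan_host(SAMPLE):
        print(finding)
```

Note that a request to www.xvid.org on its own is expected behaviour of the legitimate installer and is deliberately not flagged.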

Removal Recommendations

If you have not used an antivirus program to protect your computer and it has become infected with this malicious program, follow the steps listed below to remove it: